opendev/system-config
Code Issues Proposed changes
system-config/playbooks/roles/letsencrypt-acme-sh-install/tasks/main.yaml
Ian Wienand ecc2e9a69f
letsencrypt: pin acme.sh to 3.0.5 
We've been running against the dev branch of acme.sh since the initial
commit of the letsencrypt work -- at the time I feel like there were
things we needed that weren't in a release.  Anyway, there is now an
issue causing ECC certificates to be made and failing to renew [1]
which we can't work-around.

Pin this to the current release.  It would probably be good to pin
this to the "latest" release to avoid us forgetting to ever bump this
and ending up with even harder to debug bit-rot.

[1] https://github.com/acmesh-official/acme.sh/issues/4416

Change-Id: I0d07ba1b5ab77e07c67ad990e7bc78a9f90005a4
2022-11-29 13:11:51 +11:00

95 lines
2.8 KiB
YAML
Raw Blame History

- name: Install acme.sh client
git:
repo: https://github.com/acmesh-official/acme.sh
dest: /opt/acme.sh
version: 3.0.5
register: clone_acmesh_result
until: clone_acmesh_result is not failed
retries: 3
delay: 2
- name: Install letsencrypt group
group:
name: letsencrypt
state: present
gid: "{{ letsencrypt_gid | default(omit) }}"
- name: Install driver script
copy:
src: driver.sh
dest: /opt/acme.sh/driver.sh
mode: 0755
- name: Setup log directory
file:
path: /var/log/acme.sh
state: directory
mode: 0755
- name: Setup log rotation
include_role:
name: logrotate
vars:
logrotate_file_name: /var/log/acme.sh/acme.sh.log
- name: Setup top level cert directory
file:
path: /etc/letsencrypt-certs
state: directory
owner: root
group: letsencrypt
mode: u=rwx,g=rx,o=,g+s
- name: Create acme.sh config directory
file:
path: /root/.acme.sh
state: directory
owner: root
group: root
mode: u=rwx,g=rx,o=
# An implementation note on accounts: We could share an account key
# across all our hosts and this would be the logical place to deploy
# it. However, really the only thing you can do with an account key
# is revoke a certificate if you lose the private key. It makes more
# sense to have an account per host with key material that never
# leaves the host rather than keeping a global secret that, if leaked,
# could revoke all keys simultaneously.
- name: Check for account email
assert:
that: letsencrypt_account_email is defined
- name: Configure account email
lineinfile:
path: /root/.acme.sh/account.conf
regexp: '^ACCOUNT_EMAIL='
line: 'ACCOUNT_EMAIL={{ letsencrypt_account_email }}'
create: true
register: account_email
# If we updated the email and we have existing accounts, we should
# update the address.
# NOTE(ianw) 2020-03-04 : acme.sh dumps the 200 response json from the
# ACME api when creating an account into this file to keep track of
# the account-id. However, it doesn't actually then update it in
# response to --updateaccount although the details in the account
# *are* correctly updated. It doesn't make a difference to ongoing
# operation since all that cares about is the unchanging id, but can
# be confusing if you check this and don't see an updated email
# address. I have filed:
# https://github.com/acmesh-official/acme.sh/pull/2769
- name: Check for existing account setup
stat:
path: '{{ item }}'
loop:
- /root/.acme.sh/ca/acme-v02.api.letsencrypt.org/account.json
- /root/.acme.sh/ca/acme-staging-v02.api.letsencrypt.org/account.json
register: existing_accounts
- name: Run account update
shell: |
/opt/acme.sh/acme.sh --debug --updateaccount
when: account_email.changed and (existing_accounts.results | selectattr('stat.exists') | map(attribute='item') | list | length > 0)
View Git Blame Copy Permalink